Adding an API to WSO2 API Manager that has OAuth credentials - Facebook

We're trying to test out WSO2 API Manager and are having trouble adding some APIs. MailChimp was added easily because MC has no OAuth credentials itself. But when trying to add Facebook or another API that has its own API manager, it doesn't work and we constantly get a 401 Unauthorized. This is because both Facebook and WSO2 API Manager need OAuth tokens and obviously you can only send one Authorization header. Any help here?

WSO2 ApiManager 1.0 still does not support (OAuth) secured back-end services out of the box. Hence it is not possible to register Facebook or Twitter APIs via APIM.
Right now, an application is sending an authorization header to the APIM with a key issued by the APIM. Ideally, if you send another authorization header, that will be forwarded to the Facebook API, but at the API Gateway level you need to remove the processed header which belongs to the APIM authorization.
Support for adding secured backend services will be added as a new feature in future APIM releases.
Regards,
/Nuwan
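An added example, not from this thread or from WSO2, that models the gateway step Nuwan describes in Python: the gateway checks the key it issued, drops that Authorization header, and promotes an assumed custom header (X-Backend-Authorization, a name chosen here) to the single Authorization header the backend sees. The set of issued keys is constructed for the example.

```python
from typing import Dict, Optional

# Constructed sample: the only key this gateway has issued to the calling application.
# A real gateway would validate the key against its token store instead of a set.
APIM_ISSUED_KEYS = {"apim-key-1234"}


def build_upstream_headers(inbound: Dict[str, str],
                           backend_header: str = "X-Backend-Authorization") -> Optional[Dict[str, str]]:
    """Return the headers to forward to the backend (e.g. Facebook), or None when
    the gateway should answer 401 itself.

    Steps: validate the gateway's own Authorization header, remove it so the
    gateway key never reaches the third party, then present the backend
    credential carried in the assumed custom header as the one Authorization
    header the backend will see."""
    # HTTP header names are case-insensitive; normalise before looking anything up.
    headers = {k.lower(): v for k, v in inbound.items()}
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token not in APIM_ISSUED_KEYS:
        return None  # the gateway's own authorization check failed
    backend_auth = headers.pop(backend_header.lower(), None)
    if backend_auth is None:
        return None  # nothing to present to the backend; fail closed rather than forward the APIM key
    del headers["authorization"]  # processed by the gateway, must not be forwarded
    headers["authorization"] = backend_auth
    return headers
```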

Can you please explain why you want to use the API manager here? You can directly send your request to Facebook where the request is authorised.

Related

Accessing SharePoint REST API behind auto-accelerated URL

We have an enterprise connector that has been designed and developed to access SharePoint resources via standard REST API calls from our platform to SharePoint. The authentication mechanism utilized by the enterprise connector is standard OAuth 2.0 authentication using Client ID, Client Secret and resource to obtain an access token from a known IDP (accounts.accesscontrol.windows.net). The access token obtained in the previous call is used, as an Authorization header, for authorization to the SharePoint instance in subsequent REST API calls. The REST API requests are sent to a direct SharePoint URL (i.e. ourcompany.sharepoint.com) and are serviced by that service instance.
In the case of trying to use the standard enterprise connector with the SharePoint Online instance for this customer, the SharePoint URL that we have been instructed to send API requests to is an internal URL and is using Auto-Acceleration. All requests to this URL are forwarded to a federated authentication system maintained by the customer. All API requests sent to this URL are answered with error code -2147024891 System.UnauthorizedAccessException - "Access denied. You do not have permission to perform this action or access this resource." This is also the case when sending API requests from a tool such as Postman, so as to eliminate the authentication used by the enterprise connector as the root cause of the access denial.
The solution we're seeking is the proper avenue to access the REST API services on this SharePoint Online instance. Is there a different authentication mechanism required in this scenario? Are there different API endpoints required to access SharePoint resources in this situation? Is additional configuration required to allow access?
Any suggestions and/or guidance are appreciated.

Need to provide both Basic Authorization and SSO on Bluemix Liberty server

I have a Java app running under Websphere Liberty on IBM Bluemix. I need to be able to authenticate users 3 different ways - Basic Auth, SAML SSO, and OpenAuth SSO, in that order.
I can set up the app to do Basic Auth (using custom code) or SAML SSO (using the Bluemix Single Sign On service), but can't figure out a way to configure it to handle both at once. (I haven't even looked into how to do OpenAuth yet.) If I configure the app to use the Bluemix SSO service, then my app never sees the incoming requests to check for a userid and password to try Basic Auth before the SSO service grabs it.
I tried changing the redirect URL in the SSO service to an endpoint inside my app, but then all I get is
CWOAU0062E: The OAuth service provider could not redirect the request because the redirect URI was not valid. Contact your system administrator to resolve the problem.
I can't be the only one that needs to do this. Can anyone tell me how they did it?

Account Linking - OAUTH2 auth code exchange using Basic HTTP Auth?

Our OAuth 2.0 server expects the client credentials for the auth-code-to-token exchange to be in a Basic HTTP Auth header, a common strategy detailed in the OAuth 2.0 RFC. Is there a flag that can be set on our account to enable this?
It does not appear we are exposing this setting via the Actions Console, but we do support this for properly configured clients.
I have reached out to the team responsible for Actions Console and will update this answer with instructions once we support this option.
We are also facing a similar issue. Our OAuth 2.0 server expects client credentials to come in the Basic HTTP Auth header, but it looks like from the Actions console they are coming as part of the request body. As you have mentioned that the provision is there in your infrastructure, if you can have that provision in the Actions console as well to send client credentials in the Basic Auth header, it would be great!
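The two client-authentication methods the thread contrasts, as an added example that is not part of the original posts: RFC 6749 section 2.3.1 requires client_id and client_secret to be form-urlencoded before they are joined with ':' and base64-encoded into the Basic header, and a server must reject a request that uses both the header and the body parameters at once. The helper below builds the header and shows the server-side extraction; all values are constructed.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Encode client credentials as RFC 6749 section 2.3.1 specifies: each part
    is form-urlencoded, joined with ':' and then base64-encoded."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def extract_client_credentials(headers: Dict[str, str], body: str) -> Optional[Tuple[str, str]]:
    """Server side of the auth-code-to-token exchange: accept the credentials
    from a Basic header or from the form body, never from both (section 2.3).
    Returns (client_id, client_secret) or None when the request must be rejected."""
    form = parse_qs(body, keep_blank_values=True)
    in_body = "client_id" in form and "client_secret" in form
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, value = auth.partition(" ")
    in_header = scheme.lower() == "basic"
    if in_header and in_body:
        return None  # two authentication methods in one request: reject
    if in_header:
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            return None
        cid, sep, secret = decoded.partition(":")
        if not sep:
            return None  # malformed: no separator between id and secret
        return unquote(cid), unquote(secret)  # undo the section 2.3.1 form-encoding
    if in_body:
        return form["client_id"][0], form["client_secret"][0]
    return None
```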

How do we get WSO2 ESB tokens if API is enabled

We are using WSO2 ESB to create cloud app connections to our platform.
Our current issue: If we want to connect to any app (take salesforce as an example), we need the following details:
(1) UserName
(2) Password
(3) Token
As a pre-requisite, the salesforce account should be API enabled.
We thought of using SSO in the backend to avoid (3) and (4), but it's not possible with SAML (SSO). We are looking into ways to connect and publish data to Salesforce with just Username (1)/Password (2). In this process of evaluation, SSO is one of the options.
Any suggestions on how we can get the below details for APPS would be much appreciated!
• How do we get Token
• How do we accept only the accounts where APIs are enabled?
As far as I understand, what you need is to call a SAML SSO secured backend app (i.e. Salesforce)? If that is the case, you may use WSO2 Identity Server for this purpose. You can obtain tokens from it. Further, you can use this guide and this to call SAML secured backends through the ESB.
Hope this helps.
You can use ESB Connectors to connect with the Salesforce API. You can find the Salesforce SOAP connector (which uses the username, password, and security token for authentication), the Salesforce REST connector (which uses the OAuth protocol) and the Salesforce bulk connector (which also uses the OAuth protocol) at the WSO2 Store.
In WSO2 we have 150+ ESB connectors to communicate with third-party APIs via the ESB. You can download the connector from the WSO2 Store and follow the documentation here. In connectors we have the mechanism to connect to third-party APIs (for example, in the Salesforce SOAP-based connector we have the username/password flow, and for the Salesforce REST connector we have the OAuth 2.0 flow and the username/password flow). In all connectors you just call the init method to get the token to access the API.

Keycloak and Vertx

We are implementing a RESTful service and the entire backend application using Vert.x. These APIs are consumed by a hybrid mobile app (developed using Ionic / AngularJS). We are using Keycloak for user management and also for authentication and authorization in the app.
My question is, how can I use Keycloak to also protect (authenticate and authorize for the same set of users) access to my RESTful service, which is implemented using Vert.x? Any example implementation would be very useful.
We wrote a custom Vert.x auth provider using the Keycloak core library to solve this exact problem (the Vert.x JWT library doesn't work with the Keycloak JWT tokens - arguably we should have improved the Vert.x library instead). I'll see if I can get permission to open source the library.
So, if I understand correctly, you need one authentication entry point for the user in the mobile app and in the REST service. If I am right, you can use JWT. When the user authenticates with Keycloak he will receive a JWT with roles and user information. This token you can put into the request to the REST service, and your service will know who the user is and what roles he has. Please see https://jwt.io/
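What the REST service must do with that token before trusting the roles in it, as an added example in Python rather than Vert.x, not part of the answer above or of Keycloak: verify the signature, issuer, audience (or azp) and expiry, then read the realm roles from the realm_access.roles claim where Keycloak places them. The example assumes the realm signs access tokens with HS256 and a shared secret (Keycloak's default is RS256, in which case only the signature step changes); the secret, issuer, client id and claims are constructed, and make_token exists only to mint a test token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def verify_keycloak_token(token: str, secret: bytes, issuer: str, client_id: str,
                          now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Validate an HS256 access token (assumed realm setting) and return its claims,
    or None on any failure so the REST handler answers 401."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # only accept the algorithm we configured, never the token's own choice
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token, bad base64 or bad JSON
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if claims.get("iss") != issuer or not isinstance(exp, (int, float)) or exp <= now:
        return None
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud and claims.get("azp") != client_id:
        return None  # token was issued for a different client
    return claims


def realm_roles(claims: Dict[str, Any]) -> List[str]:
    """Keycloak places realm roles under realm_access.roles."""
    return list(claims.get("realm_access", {}).get("roles", []))


def make_token(claims: Dict[str, Any], secret: bytes) -> str:
    """Constructed for the example: mint an HS256 token shaped like Keycloak's."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```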